THE IRS2GO SMARTPHONE APPLICATION IS
SECURE, BUT DEVELOPMENT PROCESS IMPROVEMENTS ARE NEEDED

Issued on August 29, 2011

Highlights

Highlights of Report Number: 2011-20-076 to the Internal Revenue Service Chief
Technology Officer.

IMPACT ON TAXPAYERS

The
Internal Revenue Service (IRS) developed the IRS2GO mobile application for the
Apple iPhone® and the Google Android® smartphones. The
application was successfully released to the public on January 20, 2011,
and 147,205 iPhone users and 178,773 Android
users had signed up as of May 15, 2011, and March 1, 2011, respectively.Although the IRS2GO application is secure,
enhancements in the development process could be made for future mobile
applications to ensure taxpayer privacy and security.

WHY TIGTA DID THE AUDIT

This audit was
initiated because the IRS2GO application was the first mobile application
developed by the IRS, and it allows the user to check on the status of his or
her tax refund and receive tax tips.Our
overall objective was to determine whether the IRS adequately tested and
secured the IRS2GO smartphone application.

WHAT TIGTA FOUND

The IRS2GO application adequately secures
data communications and does not store sensitive or Personally Identifiable
Information on the smartphone.The IRS2GO application is available only from
the Apple App Store or the Android Market.Smartphone users should ensure they are downloading this application
from one of these two sites.

TIGTA found that appropriate processes
were not followed for using a nonapproved programming language and open source
software in the development of the IRS2GO application.Management was aware of the requirement to
request waivers, but advised it made a risk-based decision not to pursue
waivers in consideration of time constraints for the project.However, the IRS could not provide any
documentation of the risk-based decision and informed us that it was a verbal
decision.

TIGTA also found that documents required
to authorize releasing the IRS2GO application to the public were not obtained
until after the application was released. While the IRS2GO application did not have any
significant security issues when it was released to the public, using a system
development approach that does not comply with Office of Management and Budget
Circular A-130 regulations increases the risk that applications released to the
public may contain security or privacy weaknesses.

WHAT TIGTA RECOMMENDED

TIGTA recommended that
the Associate Chief Information Officer, Enterprise Services, should ensure
that waivers are obtained prior to deployment when applicable, risk‑based
decisions are clearly documented, and updates to the Plan of Action and Milestones are addressed within the appropriate
time period.In addition, the Associate
Chief Information Officer, Enterprise Services, should coordinate the review of
open source technologies for consideration of approval for use in future
application development efforts and ensure that all system development
activities follow an approach that is compliant with Office of Management and
Budget Circular A-130.

In their response to the report, IRS officials agreed with the recommendations.In developing future mobile applications, the
IRS plans to obtain the appropriate waivers prior to deployment, generate
appropriate documentation for any risk-based decision, timely address appropriate actions, and continue to review
proprietary and open source technologies.The IRS also plans to adhere to the current limited-use approval process
and Office of Management and Budget Circular A-130 for future pilot
innovative projects.

READ THE
FULL REPORT

To view the report,
including the scope, methodology, and full IRS response, go
to: